W3C home > Mailing lists > Public > public-usable-authentication@w3.org > February 2008

Re: Public-Key authentication for websites

From: James A. Donald <jamesd@echeque.com>
Date: Sun, 17 Feb 2008 08:15:57 +1000
Message-ID: <47B7609D.8060002@echeque.com>
To: Johnathan Nightingale <johnath@mozilla.com>
CC: Christoph Hack <c.hack@gmx.at>, public-usable-authentication@w3.org

Johnathan Nightingale wrote:
 > As far as I know, though I haven't looked in detail,
 > most modern browsers allow sites to store client
 > certs, and to request client certificates as part of
 > the TLS handshake.

At present, the only way to use a client X.509 key is
for the site administrator to spend considerable time
and effort authorizing client keys by hand, which is in
practice so laborious it is seldom done, and if done, is
done wrong, breaking, rather than ensuring, security.

Analogous problems arise in using TLS-SRP, and indeed
in any attempt to use more modern and elegant cryptography
than shared passwords for client side identification. If
we support client side identification by GPG
certificates or SRP unshared secrets in the same way we
support client side identification using X.509
certificates, we are just as hosed as we are with X.509
certificates.  TLS-GPG will be just as unworkable for client side 
identifification as TLS-X.509 is.
Received on Saturday, 16 February 2008 22:16:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:15 GMT